https://github.com/osquery/osquery logo
Powered by
Title
z

Zach Zeid

09/17/2020, 2:27 PM
that doesn't make sense to me, is osquery actually keeping track here, or is the way I'm running the query incorrect?
| installed_homebrew_packages_1 | SELECT name, version from homebrew_packages order by name limit 25;                                                         | 14400    | 0          | 0             | 0           | 0           | 0         | 0         | 0           | 0              | 0                   | 0                 | 0                 |
n

nyanshak

09/17/2020, 3:08 PM
I think that since you're just running 
osqueryi --json "select * from osquery_schedule;"
, you don't actually have any queries scheduled. You'd also have to pass a config file with the scheduled queries to osqueryi (or tls config) and wait for it to execute those queries before you get data on scheduled query execution.
You probably want to schedule a query to regularly pull data from the 
osquery_schedule
table
z

Zach Zeid

09/17/2020, 3:09 PM
That doesn't make any sense though, how would I pass a config to osqueryi? and these scheduled queries do run
n

nyanshak

09/17/2020, 3:09 PM
right, but they're running somewhere else, e.g., through osqueryd
and you have an entirely-separate entity, osqueryi, that you're asking to tell you about scheduled queries
and it can't tell you about scheduled queries for osqueryd afaik
you can pass a config to osqueryi the same* way you do to osqueryd, it's a symlink and mostly the flags are the same (* except if you need to like... enable events and such)
z

Zach Zeid

09/17/2020, 3:12 PM
I'll give it a shot thanks
shouldn't this give some output? 
sudo osqueryi --profile 2 --profile-delay 1 "select * from users;" --json
n

nyanshak

09/17/2020, 3:36 PM
I don't think it should give output unless the query fails due to an error.
z

Zach Zeid

09/17/2020, 3:36 PM
wut.
that's fair.
n

nyanshak

09/17/2020, 3:37 PM
btw I'm not super familiar with the profiling code, that was based on a quick glance at 
osquery/main/main.cpp
after grepping for 
profile
t

theopolis

09/17/2020, 8:05 PM
Also, a while back someone suggested having a 
osqueryi --connect /path/to/osqueryd/extension/socket.em
such that you could inspect the runtime status of an 
osqueryd
process. It sounds like that would be helpful here.
This feature does not exist, it was only suggested.
3 Views
#generalJoin Slack
Powered by